Allowing unfettered use of mobile messaging creates compliance and security issues
It is widely understood that substantial computing power is now available in a device that slips into the pocket. With great power comes greater risk, though. Mobility and mobile messaging have empowered employees and, as the financial services sector recently discovered, broken down vital areas of customer and employee trust, contravening important compliance measures. Business, technology, and security leaders need to embrace mobile messaging but also guarantee security.
Last autumn, eight well-known and trusted banks, together with 15 of their brokerages and dealing employees, received fines totalling $1.1 billion from the Securities and Exchange Commission (SEC). The fines penalised the use of consumer mobile messaging by brokers and dealers for business communications.
Appropriately conducting communications
Brokers and traders must communicate with one another using platforms that provide record keeping so that the regulators, customers, and banks can see that all brokerage and trading behaviour is above board. “As technology evolves, it’s even more important that registrants appropriately conduct their communications about business matters within only official channels, and they must maintain and preserve those communications,” SEC Chair Gary Gensler said in a statement about the fines he imposed on Barclays Capital, Bank of America Securities, Citigroup Global Markets, Credit Suisse Securities, Deutsche Bank Securities, Goldman Sachs, Morgan Stanley, and UBS Securities.
Personal devices and personal messaging services were “routinely” used by the bankers from January 2018 to September 2021, in violation of federal securities laws. “If there are allegations of wrongdoing or misconduct, we must be able to examine a firm’s books and records to determine what happened,” Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, said in a statement.
The eight banks have suffered financial loss and reputational damage. Across the Atlantic, former Conservative Party Leader and Prime Minister Boris Johnson has been exposed for using the WhatsApp mobile messaging platform for vital communications during the Covid-19 pandemic. An inquiry into why the UK has the highest Covid-19 death rate in Europe is trying to secure access to Johnson’s WhatsApp messages to understand the disaster. Together these leadership and governance failures demonstrate the risks organisations face from using consumer mobile messaging platforms.
Despite these concerns, employees and customers like mobile messaging, and it has become a vital communications tool for organisations. Banks, utility firms, healthcare providers, and airlines rely on mobile messaging to provide timely and important communications. Here at NetSfere we recognise that employees and consumers like the power of mobile messaging because messages are typically answered more quickly than email, which has a positive impact on productivity.
Rising risk
Consumer mobile messaging platforms are easy to use; perhaps too easy. Family groups sprang up during the pandemic, and employees soon applied the same approach to work, creating team and even project groups. It was the same kind of behaviour that led a group of traders to break the compliance protocols of eight banks, and this ease of use opens any organisation up to risk. For example, during the pandemic, I was placed in a business continuity WhatsApp group set up by a major mobile telecoms operator by mistake.
Employee teams turned to consumer mobile messaging applications because they were not being given the tools and functionality to be productive. Where the SEC fine is concerned, several financial service providers initially claimed they weren’t exposed to mobile messaging risk. Then the conversation changed; some said they would ban the use of mobile messaging, but human nature tends to find a way to overcome resistance. Realistically, businesses cannot put the genie of mobile messaging back in the bottle. That’s why we firmly advocate organisations embracing mobile messaging, but using enterprise-grade platforms that provide the compliance tools to protect customers and the organisation.
Business advisory group McKinsey is concerned that mobile messaging provides a back door for data breaches. “Mobile platforms, remote work, and other shifts increasingly hinge on high-speed access to ubiquitous and large data sets, exacerbating the likelihood of a breach,” McKinsey wrote in its forecast of security issues, adding: “During the initial wave of Covid-19, from February 2020 to March 2020, the number of ransomware attacks in the world as a whole spiked by 148 per cent, for example. Phishing attacks increased by 510 per cent from January to February 2020.”
In another paper, the advisory firm predicts that the number of threats organisations and business technology leaders face will continue to rise. By 2025 there will have been a 300 per cent increase in damages to enterprises from cybercrime when compared to the levels of 2015. Certainly, Covid and political events have accelerated the cybercrime threat, and many organisations are struggling; employees are often the soft underbelly that allows criminals to target a business. In fact, 92 per cent of cyber breaches start with employees.
Design benefits
Business technology leaders need to design and implement security strategies that embrace mobile messaging and deliver the productivity gains the technology offers, while also protecting the organisation.
“Focusing on people in control design and implementation, as well as through business communications and cybersecurity talent management, will help to improve business-risk decisions and cybersecurity staff retention,” Richard Addiscott, Director Analyst at Gartner, says of the importance of designing with the end user in mind.
Security technology has been made unnecessarily complicated. Good usability is essential to ensure end users adopt and continue to use secure mobile messaging technology. Gartner believes that a more human-centred approach to designing security strategies and technologies will grow, with 50 per cent of CISOs taking this approach by 2027.
The $1.1 billion fines of eight high-profile international banks last September have acted as a warning. As a result, healthcare, regulated, and non-regulated verticals are taking a closer look at mobile messaging security and the risks it poses. Unfortunately, many mistakenly believe that the encryption offered by consumer mobile messaging systems is all the security they need. Encryption protects message content from interception in transit, but it does nothing to satisfy record-keeping, retention or audit requirements, or to control where the data is stored and who else can access it. Relying on it alone could leave the business exposed to risk if security is not bespoke to the specific data sharing regulations of your industry, or the expectations of your customers.
A final word on privacy. In the app stores, if you open the listing for Microsoft Teams, Slack, or WhatsApp and look at the profile, it shows the data that the app collects. I am always amazed by the amount of data being collected; this is an organisation’s data, and it is also highly valuable to those application providers. This makes it abundantly clear that consumer mobile messaging is not as secure or as private as first imagined, and that an organisation’s data is not necessarily protected when it is managed and processed by a third party.